
Video Transcription

Kerberos is used in Windows and in Windows Active Directory. Excuse me. Windows Active Directory supports NTLM, but would rather use Kerberos.

00:18

Kerberos is a lot more secure.

00:20

Developed at MIT.

00:24

It's the default in Windows 2000 and higher networks and also supports UNIX networks. In UNIX, you may actually see it labeled as a Kerberos realm.

00:35

That's what they call the equivalent to an active directory domain.

00:40

Why Kerberos?

00:43

One-time authentication. What do they do in the C if it's in here?

00:48

Yep. Lady. Okay.

00:50

One-time authentication for multiple network services is used. Authenticate once and then you're good. You don't have to get re-challenged every time you go back to that printer, every time you go back to the file,

01:02

uses strong cryptography,

01:03

um, and NTLM can be broken. The hash algorithms aren't good enough,

01:10

and you can authenticate two ways: you authenticate that the server you're talking to is really the server you think it is, and the server then authenticates that you're really the user that you say you are,

01:23

so a Kerberos server, or the Active Directory domain controller, is actually a key distribution center,

01:29

and what it does is it grants tickets

01:33

and access to resources is done by tickets.

01:38

So what's funny about it is the first ticket it grants is a ticket granting ticket

01:46

Sound right?

01:47

Okay with you?

01:49

So when you first authenticate to the Active Directory or to the domain,

01:53

you get a ticket granting ticket.

01:57

That ticket granting ticket allows you to ask for

02:00

use tickets.

02:02

So when you want to go use a resource on a server, you take your ticket granting ticket and say, I need a use ticket from you.

02:09

So if it's a file server, the file server will take your ticket granting ticket, check it, verify it. If it's correct, then it gives you a use ticket, and then you use the use ticket

02:21

for your access to that service,

02:24

and the way that works is once I'm given that use ticket, I don't have to authenticate again while I have that ticket,

02:31

and by the way, are the tickets pieces of paper?

02:35

what do you think they might be?

02:38

A little bit of certificates.

02:42

So that's the idea behind it

02:44

is,

02:45

you want to authenticate to a resource,

02:47

then it's all going to maintain that ticket. You can go back to that resource and continue to use it. Now, the tickets do eventually expire. How it happens is when they expire, it just renews and gives you a new certificate again.

03:01

Renew your ticket.

03:07

At that point, you are re-authenticating when you get the new ticket, but only long enough to get a ticket. Not every time you try to access the resource.

03:21

So KDC, it's called the key distribution center, and that's the place with the copy of the user's credentials. So in Windows, what would that be?

The TGT is used to get a service ticket for some network service you want to talk to. Do you want to print? You want to get a file, you want to connect to the mail server, whatever it is, and the service ticket goes back.

04:11

And now you take that service ticket, and every time you want to go to that resource, you just present the service ticket.

04:16

And because the service ticket's already been authenticated, you don't have to be re-authenticated every time you go.

04:28

So

04:29

that's Kerberos. What is Lightweight Direct...

04:31

Lightweight Directory Access Protocol, LDAP.

04:36

It's a subset of the X.500 standard.

04:41

Everybody feels much better now knowing that, right?

04:45

The X.500 standard is this huge standard for naming conventions and how you write names out.

04:51

You most likely know X.500 because X.500 is what email names are built out of.

05:00

X.500's what DNS names are built out of;

05:03

they're all compliant with the X.500 standard.

05:06

So in LDAP they took a subset of the X.500 standard, and that's what you write user names out of.

05:15

So it's just a consistency thing.

05:18

It's also an object-oriented model,

05:24

and what it means is that the user account is an object.

05:29

A machine account is an object,

05:34

and

05:35

the way they use objects is, the object, if I have a user account and I have a password

05:43

or I have some authentication method, I also have the ability to go around the system with a certain set of rights.